The Internet

Bangladesh Is Experiencing a 'Near-Total' Internet Shutdown Amid Student Protests (engadget.com) 4

Bangladesh is experiencing a "near-total" nationwide internet shutdown amid government efforts to control widespread student protests against the country's quota system for government jobs. The country's quota system requires a third of government jobs be reserved for relatives of veterans who had fought for independence from Pakistan.

According to Reuters, the protests "have opened old and sensitive political fault lines between those who fought for Bangladesh's independence from Pakistan in 1971 and those accused of collaborating with Islamabad." Analysts say the protests have also been "fueled by high unemployment among young people" and "wider economic woes, such as high inflation and shrinking reserves of foreign exchange." Engadget reports on the internet disruptions: To control the situation, Bangladeshi authorities shut down internet and phone access throughout the country, a common practice in South Asia to prevent the spread of rumors and misinformation and exercise state control. NetBlocks, a global internet monitor that works on digital rights, analyzed live network data that showed that Bangladesh was in the middle of a "near-total national internet shutdown." [...]

Bangladesh has frequently blacked out the internet to crack down on political opposition and activists. At the end of 2023, research tool CIVICUS Monitor, which provides data on the state of civil society and freedoms in nearly 200 countries, downgraded Bangladesh's civic space to "closed," its lowest possible rating, after the country imposed six internet shutdowns the previous year. That made Bangladesh the fifth-largest perpetrator of internet shutdowns in 2022, Access Now said.

The country's telecom regulator had pledged to keep internet access on through Bangladesh's general elections at the beginning of 2024, but that electoral period is now over. Despite the pledge, Bangladesh blocked access to news websites during its elections.

Cellphones

FCC Blasts T-Mobile's 365-Day Phone Locking, Proposes 60-Day Unlock Rule (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: Citing frustration with mobile carriers enforcing different phone-unlocking policies that are bad for consumers, the Federal Communications Commission is proposing a 60-day unlocking requirement that would apply to all wireless providers. The industry's "confusing and disparate cell phone unlocking policies" mean that "some consumers can unlock their phones with relative ease, while others face significant barriers," Commissioner Geoffrey Starks said at yesterday's FCC meeting. "It also means certain carriers are subject to mandatory unlocking requirements while others are free to dictate their own. This asymmetry is bad for both consumers and competition."

The FCC is "proposing a uniform 60-day unlocking policy" so that "consumers can choose the carrier that offers them the best value," Starks said. Unlocking a phone allows it to be used on a different carrier's network as long as the phone is compatible. The FCC approved the Notice of Proposed Rulemaking (NPRM) in a 5-0 vote. That begins a public comment period that could lead to a final rulemaking. A draft of the NPRM said the FCC "propose[s] to require all mobile wireless service providers to unlock handsets 60 days after a consumer's handset is activated with the provider, unless within the 60-day period the service provider determines the handset was purchased through fraud."

"You bought your phone, you should be able to take it to any provider you want," Rosenworcel said. "Some providers already operate this way. Others do not. In fact, some have recently increased the time their customers must wait until they can unlock their device by as much as 100 percent." Rosenworcel apparently was referring to a prepaid brand offered by T-Mobile. The NPRM draft said that "T-Mobile recently increased its locking period for one of its brands, Metro by T-Mobile, from 180 days to 365 days." The 365-day rule brought Metro into line with other T-Mobile prepaid phones that already came with the year-long lock. We reached out to T-Mobile and will update this article if it provides a comment. A merger condition imposed on T-Mobile's purchase of Sprint merely requires that it unlock prepaid phones within one year. T-Mobile imposes different unlocking policies on prepaid and postpaid phones. For postpaid devices, T-Mobile says it will unlock phones that have been active for at least 40 days, but only if any associated financing or leasing agreement has been paid in full.

Science

Psilocybin Desynchronizes the Human Brain (nytimes.com) 80

An anonymous reader quotes a report from the New York Times: The image, as it happens, comes from dozens of brain scans produced by researchers at Washington University School of Medicine in St. Louis who gave psilocybin, the compound in "magic mushrooms," to participants in a study before sending them into a functional M.R.I. scanner. The kaleidoscopic whirl of colors they recorded is essentially a heat map of brain changes, with the red, orange and yellow hues reflecting a significant departure from normal activity patterns. The blues and greens reflect normal brain activity that occurs in the so-called functional networks, the neural communication pathways that connect different regions of the brain.

The scans, published Wednesday in the journal Nature, offer a rare glimpse into the wild neural storm associated with mind-altering drugs. Researchers say they could provide a potential road map for understanding how psychedelic compounds like psilocybin, LSD and MDMA can lead to lasting relief from depression, anxiety and other mental health disorders. "Psilocybin, in contrast to any other drug we've tested, has this massive effect on the whole brain that was pretty unexpected," said Dr. Nico Dosenbach, a professor of neurology at Washington University and a senior author of the study. "It was quite shocking when we saw the effect size."

Brian Mathur, a systems neuroscientist at the University of Maryland School of Medicine in Baltimore, says these findings cannot show exactly what causes the therapeutic benefit of psilocybin, but "it's possible psilocybin is directly causing" the brain-network changes. That, or it is creating a psychedelic experience that in turn causes parts of the brain to behave differently.

The next step is to determine whether psilocybin's blood-flow changes in the brain or its direct effects on neurons, or both, are responsible for the brain-network disruptions. "The best part of this work is that it's going to provide a means forward for the field to develop further hypotheses that can and should be tested," Mathur says.

The Internet

Cloudflare Reports Almost 7% of Internet Traffic Is Malicious (zdnet.com) 34

In its latest State of Application Security Report, Cloudflare says 6.8% of traffic on the internet is malicious, "up a percentage point from last year's study," writes ZDNet's Steven Vaughan-Nichols. "Cloudflare, the content delivery network and security services company, thinks the rise is due to wars and elections. For example, many attacks against Western-interest websites are coming from pro-Russian hacktivist groups such as REvil, KillNet, and Anonymous Sudan." From the report: [...] Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year. But it's not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

The report also highlights the increased importance of application programming interface (API) security. With 60% of dynamic web traffic now API-related, these interfaces are a prime target for attackers. API traffic is growing twice as fast as traditional web traffic. What's worrying is that many organizations appear not to be even aware of a quarter of their API endpoints. Organizations that don't have a tight grip on their internet services or website APIs can't possibly protect themselves from attackers. Evidence suggests the average enterprise application now uses 47 third-party scripts and connects to nearly 50 third-party destinations. Do you know and trust these scripts and connections? You should -- each script or connection is a potential security risk. For instance, the recent Polyfill.io JavaScript incident affected over 380,000 sites.

Finally, about 38% of all HTTP requests processed by Cloudflare are classified as automated bot traffic. Some bots are good and perform a needed service, such as customer service chatbots, or are authorized search engine crawlers. However, as many as 93% of bots are potentially bad.

NASA

NASA Transmits Hip-Hop Song To Deep Space for First Time (nasa.gov) 89

NASA: The stars above and on Earth aligned as an inspirational message and lyrics from the song "The Rain (Supa Dupa Fly)" by hip-hop artist Missy Elliott were beamed to Venus via NASA's DSN (Deep Space Network). The agency's Jet Propulsion Laboratory in Southern California sent the transmission at 10:05 a.m. PDT on Friday, July 12. As the largest and most sensitive telecommunication service of NASA's Space Communications and Navigation (SCaN) program, the DSN has an array of giant radio antennas that allow missions to track, send commands, and receive scientific data from spacecraft venturing to the Moon and beyond. To date, the system has transmitted only one other song into space, making the transmission of Elliott's song a first for hip-hop and NASA.

"Both space exploration and Missy Elliott's art have been about pushing boundaries," said Brittany Brown, director, Digital and Technology Division, Office of Communications at NASA Headquarters in Washington, who initially pitched ideas to Missy's team to collaborate with the agency. "Missy has a track record of infusing space-centric storytelling and futuristic visuals in her music videos, so the opportunity to collaborate on something out of this world is truly fitting." The song traveled about 158 million miles (254 million kilometers) from Earth to Venus -- the artist's favorite planet. Transmitted at the speed of light, the radio frequency signal took nearly 14 minutes to reach the planet. The transmission was made by the 34-meter (112-foot) wide Deep Space Station 13 (DSS-13) radio dish antenna, located at the DSN's Goldstone Deep Space Communications Complex, near Barstow in California. Coincidentally, the DSS-13 also is nicknamed Venus.

Security

Weak Security Defaults Enabled Squarespace Domains Hijacks (krebsonsecurity.com) 11

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Krebs on Security: Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain. The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors' cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks. But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options -- such as "Continue with Google" or "Continue with Apple" -- as opposed to the "Continue with email" choice.

AT&T

AT&T, Verizon Tangle Over 5G Service for Emergency Responders (wsj.com) 17

Two of the nation's major telecommunications companies are feuding over a plan to boost service for police, firefighters and other state and local agencies -- a move Verizon says would amount to a $14 billion gift to a rival. From a report: AT&T and its allies are asking regulators to provide more wireless frequencies to FirstNet, a cellular network launched in 2017 to connect emergency responders and other public-sector groups. The Dallas-based telecom giant holds an exclusive 25-year contract to run the network for the federal FirstNet Authority, which oversees the project.

Rival telecom companies say the proposal would let AT&T's commercial business piggyback on those airwaves free. Verizon, which vies with FirstNet for public-safety contracts, called the proposal a giveaway of spectrum valued at around $14 billion that would give its competitor a "substantial windfall." T-Mobile US likewise urged regulators to avoid a "FirstNet takeover" of the spectrum. The carrier hasn't made its case as forcefully as Verizon, whose chief executive traveled to Washington twice in recent weeks to lobby regulators.

The Internet

Linksys Routers Found Transmitting Passwords in Cleartext (stackdiary.com) 29

TechSpot writes: Users of the Linksys Velop Pro 6E and 7 mesh routers should change their passwords and Wi-Fi network names through an external web browser. The two models transmit critical information to outside servers in an insecure manner upon initial installation. New patches have emerged since the issue was discovered, but Linksys hasn't publicly responded to the matter, and it is unclear if the latest firmware leaves sensitive data exposed to interception.

The issue was discovered by Testaankoop, the Belgian equivalent of the Consumers' Association. And they warned Linksys back in November, according to the tech news site Stack Diary. (The practice could leave passwords and other information vulnerable to Man-in-the-Middle attacks.) Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware. However, they emphasize that this does not excuse the vulnerability.

Thanks to long-time Slashdot reader schwit1 for sharing the news.

Security

CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months (theregister.com) 35

A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register's Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency's account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 - 9.8) in the target agency's Oracle Solaris enclave, leading to what it said was a full compromise. It's worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA's known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA's red team was made on January 25, 2023. "After gaining access, the team promptly informed the organization's trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch," CISA's report reads. "Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023." [...]

After gaining access to the Solaris enclave, the red team discovered they couldn't pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-spraying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. "None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network," CISA said.

CISA described this as a "full domain compromise" that gave the attackers access to tier zero assets -- the most highly privileged systems. "The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)." From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA's team then pivoted into using the access they already had.

The team "kerberoasted" one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn't able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA's Federal Attack Surface Testing (FAST) pentesting program to operate. It's crucial that these avenues are able to be explored in such exercises because they're routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity.

CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.

Transportation

Southwest Airlines Strikes Deal For Electric Air Taxi Network (theverge.com) 12

Southwest Airlines has signed a deal with Archer Aviation to develop plans for an on-demand eVTOL (electric vertical takeoff and landing) service in California. The Verge reports: The service will operate using Archer's battery-powered, four-passenger, tilt-rotor Midnight aircraft, which are designed to take off and land vertically from a landing strip like a helicopter. As part of the deal, the aircraft will get access to 14 California airports where Southwest operates. [...] Archer claims that trips that normally take 60-90 minutes by car can be done in 10-20 minutes in the company's air taxis.

Archer came out of stealth in spring 2020 after having poached key talent from Wisk and Airbus' Vahana project. (That fact spurred a lawsuit from Wisk for alleged trade secret theft, which was finally settled last year.) The company has a $1 billion order from United Airlines for its eVTOL aircraft and a deal to mass-produce its eVTOL craft with global automaker Stellantis.

Archer recently received a Part 135 air carrier certification from the Federal Aviation Administration, which the company will need to operate an on-demand air taxi service. Archer has said it plans on launching before the end of 2025. [...] As part of the deal, Archer will work with Southwest and its partners on the development of an air taxi network across California. That includes the unions of Southwest employees, like the Southwest Airlines Pilots Association.

Security

AT&T Says Criminals Stole Phone Records of 'Nearly All' Customers in New Data Breach (techcrunch.com) 82

U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of "nearly all" of its customers. TechCrunch: In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages -- such as who contacted who by phone or text -- during a six-month period between May 1, 2022 and October 31, 2022. AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T's network, the company said. [...] In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.

Businesses

DVD Rental Kiosks Business Redbox is Shutting Down 24

DVD kiosk-rental business Redbox is all set to close the shutter. LowPass: The judge overseeing the bankruptcy case of Redbox's corporate parent Chicken Soup for the Soul Entertainment granted the debtors' request to convert it from a Chapter 11 bankruptcy to a Chapter 7 bankruptcy, effectively paving the way for shutting down the company and liquidating its assets. Chicken Soup for the Soul Entertainment's CEO Bart Schwartz, who had only joined the company two weeks ago, stepped down this morning for unrelated reasons, according to the attorney representing the debtors in the case.

Companies use Chapter 11 bankruptcy cases to reorganize, allowing them to continue to operate while they rid themselves of debt, while a Chapter 7 bankruptcy generally results in a trustee selling off company assets to pay creditors, and winding down the company. "There is no means to continue to pay employees, pay any bills, otherwise finance this case. It is hopelessly insolvent," United States bankruptcy judge Thomas Horan determined during a hearing Wednesday, adding: "Given the fact that there may also be at least the possibility of misappropriation of funds that were held in trust for employees, there is more than ample reason why this case should be converted. So I am going to grant the motion."

The firm operates a network of 24,000 DVD rental kiosks.

China

Germany To Remove Huawei From Mobile Networks (reuters.com) 17

An anonymous reader quotes a report from Reuters: The German government and mobile phone carriers have agreed in principle on steps to phase components by Chinese technology companies out of the nation's 5G wireless network over the next five years, two people familiar with the matter told Reuters on Wednesday. Newspaper Sueddeutsche Zeitung as well as broadcasters NDR and WDR earlier jointly reported the news, saying the agreement gives network operators Deutsche Telekom, Vodafone, and Telefonica Deutschland more time to replace critical parts. Under the preliminary agreement driven by security considerations, operators will initially rid the country's core network of 5G data centers of technology made by companies such as Huawei and ZTE in 2026, said the sources, adding that a final pact has yet to be signed. In a second phase, the role of Chinese makers' parts for antennas, transmission lines and towers should be all but eliminated by 2029, they added. "The government is acting on the basis of the national security strategy and China strategy to reduce possible security risks and dependencies," said a spokesperson for Germany's interior ministry.

Security

BlastRADIUS Attack Exposes Critical Flaw In 30-Year-Old RADIUS Protocol (securityweek.com) 26

wiredmikey shares a report from SecurityWeek: Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections. The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, ISPs, and telcos are exposed to major risk. The vulnerability is being tracked as CVE-2024-3596 and VU#456537. "The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network," the research team explained (PDF).

The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products. "All of those devices are likely vulnerable to this attack," the researchers warned. "The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will," according to the InkBridge Networks documentation.
The researchers say that every single RADIUS server must be upgraded in order to protect against this vulnerability. "It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable."
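
The integrity check whose absence the researchers describe, as an added example (not code from the article, InkBridge Networks or any RADIUS product): a plain Access-Request carries only a random Request Authenticator, while the Message-Authenticator attribute (type 80, RFC 2869) adds an HMAC-MD5 over the whole packet, which a receiver can verify. The shared secret, user name and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869, HMAC-MD5 over the packet
HEADER_LEN = 20                  # code, identifier, length, 16-byte authenticator


def build_access_request(identifier, username, secret, signed):
    """Build a minimal Access-Request, optionally with Message-Authenticator."""
    # In an Access-Request the authenticator field is random, not a MAC.
    request_authenticator = os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    if signed:
        # Message-Authenticator goes first, zero-filled while the HMAC is computed.
        attrs = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = bytearray(header + request_authenticator + attrs)
    if signed:
        mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
        packet[HEADER_LEN + 2:HEADER_LEN + 18] = mac
    return bytes(packet)


def check_access_request(packet, secret):
    """Classify a packet: 'unauthenticated', 'valid', 'bad-mac' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < HEADER_LEN or length > len(packet):
        return "malformed"
    packet = packet[:length]  # ignore padding after the declared length
    pos, mac_offset = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "malformed"
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac_offset is not None:
                return "malformed"
            mac_offset = pos + 2
        pos += attr_len
    if mac_offset is None:
        # Nothing in the packet binds its contents to the shared secret.
        return "unauthenticated"
    received = packet[mac_offset:mac_offset + 16]
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, received) else "bad-mac"


def tamper_last_byte(packet):
    """Flip one bit in the final byte (the end of the User-Name value here)."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    plain = build_access_request(7, b"alice", secret, signed=False)
    signed = build_access_request(8, b"alice", secret, signed=True)
    return {
        "plain": check_access_request(plain, secret),
        "plain_tampered": check_access_request(tamper_last_byte(plain), secret),
        "signed": check_access_request(signed, secret),
        "signed_tampered": check_access_request(tamper_last_byte(signed), secret),
        "signed_wrong_secret": check_access_request(signed, b"other-secret"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

A modified request without the attribute gets the same verdict as the untouched one, because the receiver has nothing to verify; with the attribute present, the same one-bit change is rejected.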

Australia

Australia's Cybersecurity Agency Says China-backed Hackers Behind Online Crimes (nbcnews.com) 13

Australia's government cybersecurity agency on Tuesday accused a China-backed hacker group of stealing passwords and usernames from two unnamed Australian networks in 2022, adding that the group remained a threat. From a report: A joint report led by the Australian Cyber Security Centre said the hackers, named APT40, had conducted malicious cyber operations for China's Ministry of State Security, the main agency overlooking foreign intelligence. "The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40," said the report, which included inputs from lead cyber security agencies for the United States, Britain, Canada, New Zealand, Japan, South Korea and Germany. U.S. and British officials in March had accused Beijing of a sweeping cyberespionage campaign that allegedly hit millions of people including lawmakers, academics and journalists, and companies including defense contractors. They said China-backed "APT31" was responsible for the network intrusion.

Businesses

Paramount Agrees To Merge With Skydance In $8 Billion Deal, Ending Redstone Era (cnbc.com) 9

Paramount Global has agreed to merge with Skydance in a significant deal that will see the Redstone family relinquish control of the storied movie studio and media company. The merger, valued at over $8 billion, involves a consortium including RedBird Capital Partners and KKR, and is expected to close in the third quarter of 2025, subject to regulatory approval. CNBC reports: The deal gives National Amusements an enterprise value of $2.4 billion, which includes $1.75 billion in equity. Paramount's class A shareholders will receive $23 apiece in cash or stock, while class B stockholders will receive $15 per share, equating to a cash consideration totaling $4.5 billion available to public shareholders. As part of the deal Skydance will also inject $1.5 billion of capital into Paramount's balance sheet. "It's a new Paramount; it's not just a catchphrase," said RedBird's Jeff Shell, former CEO of NBCUniversal, on a call with investors Monday. "We think it's going to be a new day for these combined assets."

Skydance founder David Ellison will lead the combined company as CEO, while Shell will serve as president. The merger is subject to regulatory approval and expected to close in the third quarter of 2025. It also includes a 45-day "go-shop period," in which the Paramount special committee can solicit other offers. A completed Skydance merger would mark a major shift for the ownership of Paramount, as well as for Hollywood as a whole. The Redstone family has long controlled the movie studio -- known for films such as "The Godfather," "Top Gun" and "Forrest Gump" -- as well as the CBS broadcast network and cable TV networks including MTV and Nickelodeon. Now, Ellison, 41, son of Oracle founder and billionaire Larry Ellison, will be at the helm of a major movie studio and among Hollywood's elite. "It's been a long time since a creative executive ran one of the big Hollywood companies," Shell said on Monday's call. "And I think it's really important when creative is the core."

Transportation

New Research Finds America's EV Chargers Are Just 78% Reliable (and Underfunded) (hbs.edu) 220

Harvard Business School has an "Institute for Business in Global Society" that explores the societal impacts of business. And they've recently published some new AI-powered research about EV charging infrastructure, according to the Institute's blog, conducted by climate fellow Omar Asensio.

"Asensio and his team, supported by Microsoft and National Science Foundation awards, spent years building models and training AI tools to extract insights and make predictions," using the reviews drivers left (in more than 72 languages) on the smartphone apps drivers use to pay for charging. And ultimately this research identified "a significant obstacle to increasing electric vehicle (EV) sales and decreasing carbon emissions in the United States: owners' deep frustration with the state of charging infrastructure, including unreliability, erratic pricing, and lack of charging locations..." [C]harging stations in the U.S. have an average reliability score of only 78%, meaning that about one in five don't work. They are, on average, less reliable than regular gas stations, Asensio said. "Imagine if you go to a traditional gas station and two out of 10 times the pumps are out of order," he said. "Consumers would revolt...." EV drivers often find broken equipment, making charging unreliable at best and simply not as easy as the old way of topping off a tank of gas. The reason? "No one's maintaining these stations," Asensio said.

One problem? Another blog post by the Institute notes that America's approach to public charging has differed sharply from those in other countries: In Europe and Asia, governments started making major investments in public charging infrastructure years ago. In America, the initial thinking was that private companies would fill the public's need by spending money to install charging stations at hotels, shopping malls and other public venues. But that decentralized approach failed to meet demand and the Biden administration is now investing heavily to grow the charging network and facilitate EV sales... "No single market actor has sufficient incentive to build out a national charging network at a pace that meets our climate goals," the report declared. Citing research and the experience of other countries, it noted that "policies that increase access to charging stations may be among the best policies to increase EV sales." But the U.S. is far behind other countries.

Thanks to Slashdot reader NoWayNoShapeNoForm for sharing the article.

Transportation

Amid Whistleblower Complaints, Boeing Buys Spirit, Ending Outsourcing of Key Work on Planes (apnews.com) 35

Monday Boeing announced plans to acquire its key supplier, Spirit AeroSystems, for $4.7 billion, according to the Associated Press — "a move that it says will improve plane quality and safety amid increasing scrutiny by Congress, airlines and the Department of Justice. Boeing previously owned Spirit, and the purchase would reverse a longtime Boeing strategy of outsourcing key work on its passenger planes."

But meanwhile, an anonymous reader shared this report from Newsweek: More than a hundred Boeing whistleblowers have contacted the U.S. aviation watchdog since the start of the year, Newsweek can reveal. Official figures show that the Federal Aviation Administration's (FAA) whistleblowing hotline has seen a huge surge of calls from workers concerned about safety problems. Since January the watchdog saw a total of 126 reports, via various channels, from workers concerned about safety problems. In 2023, there were just 11....

After a visit from FAA Administrator Mike Whitaker to a Boeing factory earlier in the year, Boeing CEO Dave Calhoun agreed to share details of the hotline with all Boeing employees. The FAA told Newsweek that the number of Boeing employees coming forward was a "sign of a healthy culture".... Newsweek also spoke to Jon Holden, president of the 751 District for the International Association of Machinists, Boeing's largest union which represents more than 32,000 aerospace workers. Holden said that numerous whistleblowers had complained to the FAA over Boeing's attempt to cut staff and reduce inspections in an effort to "speed up the rate" at which planes went out the door...

Holden's union is currently in contract negotiations with Boeing, and is attempting to secure a 40% pay rise alongside a 50-year guarantee of work security for its members.

CNN also reports on new allegations Wednesday from a former Boeing quality-control manager: that "for years workers at its 787 Dreamliner factory in Everett, Washington, routinely took parts that were deemed unsuitable to fly out of an internal scrap yard and put them back on factory assembly lines." In his first network TV interview, Merle Meyers, a 30-year veteran of Boeing, described to CNN what he says was an elaborate off-the-books practice that Boeing managers at the Everett factory used to meet production deadlines, including taking damaged and improper parts from the company's scrapyard, storehouses and loading docks... Meyers claims that lapses he witnessed were intentional, organized efforts designed to thwart quality control processes in an effort to keep up with demanding production schedules. Beginning in the early 2000s, Meyers says that for more than a decade, he estimates that about 50,000 parts "escaped" quality control and were used to build aircraft. Those parts include everything from small items like screws to more complex assemblies like wing flaps. A single Boeing 787 Dreamliner, for example, has approximately 2.3 million parts...

Based on conversations Meyers says he had with current Boeing workers in the time since he left the company, he believes that while employees no longer remove parts from the scrapyard, the practice of using other unapproved parts in assembly lines continues. "Now they're back to taking parts of body sections — everything — right when it arrives at the Everett site, bypassing quality, going right to the airplane," Meyers said.

Company emails going back years show that Meyers repeatedly flagged the issue to Boeing's corporate investigations team, pointing out what he says were blatant violations of Boeing's safety rules. But investigators routinely failed to enforce those rules, Meyers says, even ignoring "eye witness observations and the hard work done to ensure the safety of future passengers and crew," he wrote in an internal 2022 email provided to CNN.

Privacy

New SnailLoad Attack Exploits Network Latency To Spy On Users' Web Activities (thehackernews.com) 13

Longtime Slashdot reader Artem S. Tashkinov shares a report from The Hacker News: A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches." A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic. Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's network latency as a side channel to determine online activities on the victim system.

To perform such a fingerprinting attack and glean what video or website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim's network connection as the content is being downloaded from the server while they are browsing or viewing. It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites. In other words, due to the network bottleneck on the victim's side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim. The attack is so named because the attacking server transmits the file at a snail's pace in order to monitor the connection latency over an extended period of time.

Japan

Japan Introduces Enormous Humanoid Robot To Maintain Train Lines (theguardian.com) 33

An anonymous reader shares a report: It resembles an enormous, malevolent robot from 1980s sci-fi but West Japan Railway's new humanoid employee was designed with nothing more sinister than a spot of painting and gardening in mind. Starting this month, the large machine with enormous arms, a crude, disproportionately small Wall-E-like head and coke-bottle eyes mounted on a truck -- which can drive on rails -- will be put to use for maintenance work on the company's network. Its operator sits in a cockpit on the truck, "seeing" through the robot's eyes via cameras and operating its powerful limbs and hands remotely. With a vertical reach of 12 metres (40ft), the machine can use various attachments for its arms to carry objects as heavy as 40kg (88lb), hold a brush to paint or use a chainsaw. For now, the robot's primary task will focus on trimming tree branches along rails and painting metal frames that hold cables above trains, the company said. The technology will help fill worker shortages in ageing Japan as well as reduce accidents such as workers falling from high places or suffering electric shocks, the company said.
